Add or edit entity properties

Supported in:

Add or edit entity enrichment properties from various pages as part of your case investigation, to let you work more efficiently during a case investigation. You can add 100 entity properties to a single entity.

Add or edit an entity enrichment on the following pages:

  • Investigation: drill down to the required case and click Explore to open the Investigation page.
  • Entity Explorer: drill down to the required case and select the required entity in the Entity Highlights widget. The Entity Explorer page opens.
  • Cases (Entities Highlights): drill down to the required case, select the required entity from the Entities Highlights widget, and click View more. A side drawer opens with the entity properties.
  • Cases (Entities Graph): drill down to the required case, select the Entities Graph widget, and click the entity icon. A side drawer opens with the entity properties.

Edit an entity property

This example involves a case with a potential malware threat. The file attached to the case was marked as suspicious with low confidence. After running a TI enrichment block and comparing it to previous cases with similar results, you're sure this file is malicious. Update the confidence level of the suspicious hash from Low to High.

To edit an entity property, follow these steps:

  1. Go to the Cases page.
  2. Drill down to the Virus Found or security risk found case, and click Explore. The Investigation page opens.
  3. Click the file hash entity icon on the Investigation page.
  4. Hold the pointer over the confidence_level value in the side drawer. Three dots appear.
  5. Click more_vert More and select View or edit property from the menu.
  6. In the dialog, change the value of Confidence_level from Low to High to highlight the potential risk of the hash entity. You can also select the format for displaying data in the side drawer.
  7. Click Save.

The confidence level of the entity is updated and reflected in the side drawer.

Add an entity property

As part of the investigation, include other entity keys to enrich your case investigation. Identify the kind of malware being used to better understand the threat. This example shows how to create a new entity property called Malware_family.

To add an entity property follow these steps:

  1. Go to the Cases queue.
  2. Select the Virus Found or Security Risk Found case, and click Explore. The Investigation page opens.
  3. Click add Add at the top of the side drawer.
  4. Enter Malware_family as the Key, and enter Trojan.Generic as the Value.
  5. Click Save to add the new entity property.

The new enrichment provides an additional layer of understanding during your case investigation.


Need more help? Get answers from Community members and Google SecOps professionals.